James R. Mirick sets the record straight on things he cares about

The User Cost of Internet Security

We hear constantly of the cost of online security failures — of bank accounts vacuumed, of credit card numbers and passwords stolen, or of medical records compromised, a veritable drumbeat of disaster. But we seldom hear about the cost side of implementing security measures, especially the cost borne by individuals like you and me who are exhorted to carry out these procedures. Even with the threat of all the losses, compromises, and penetrations, the Average User still has a pretty dismal record of taking even the most basic precautions to protect themselves. But why? Are we all just that stupid and lazy?

In this paper we argue for a third view, which is that users’ rejection of the security advice they receive is entirely rational from an economic viewpoint. The advice offers to shield them from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones they reject this bargain. Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.

So then, as Herley points out, Average Users aren’t stupid, they are pretty good intuitive cost-benefit analysts. The paper points out that “user effort is not free” although it is treated as such in virtually all analyses. In other words, most analysts look only at the loss side of the equation — what is being stolen — but not at the time and effort required of users taking steps to prevent these losses. This failure to account for the costs of implementing security procedures leads to lots of users (rationally) ignoring most of what various security gurus prescribe for them — instead of adopting reasonably effective safeguards, they end up adopting almost none.

For example, with respect to the standard litany of “choose longer passwords, don’t re-use them across sites” and so on, Herley demonstrates that for an average user with about 25 distinct passworded accounts the actual benefit to the user disappears if the user has to spend more than a few minutes per year making up, remembering, and forgetting all their passwords. Of course, in reality most of us spend more than that per day dealing with passwords. He also points out that if the user falls victim to a phisher or has a trojan keylogger on his machine, all the standard password protections are rendered useless anyway.

And yet, financial institutions continue to insist on longer passwords with composition-complexity rules and have implemented various other schemes such as “security questions” or “secret pictures” and the like. None of these are very effective and do NOT per se reduce the likelihood of man-in-the-middle attacks, although it seems like they would. They mainly irritate users who forget what they answered for their first car’s horsepower, fail the test, and have to have the bank reset their password.

And even this incurs a significant cost: using Wells-Fargo data, a password reset costs the bank $10 in personnel time, and if 10% of their users do a reset every year, that would be a $48,000,000 cost to Wells, which is vastly higher than Wells’ share of the annual $60,000,000 phishing losses. Clearly in this case, the medicine is worse than the disease!
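To make the cost-benefit argument behind both the password example and the reset example concrete, here is a small model of it in Python. This is an added illustration, not code from this post or from Herley’s paper. The $10 reset cost, the 10% reset rate and the $60,000,000 annual phishing loss are the post’s figures; the 48,000,000-user population is what the post’s $48,000,000 figure implies at those rates; the 100,000,000-user online-banking population, the $10/hour value of user time and the assumption that better passwords would stop half of phishing losses are constructed assumptions for illustration only.

```python
"""Cost-benefit model for security advice, in the spirit of Herley's argument.
Added example: not from the post or the paper it summarizes.  Figures marked
'constructed' are illustrative assumptions, not data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdviceEconomics:
    """Inputs for weighing a piece of security advice against the loss it prevents."""
    users: int                    # people asked to follow the advice
    annual_losses: float          # dollars lost per year across that population
    fraction_prevented: float     # share of those losses the advice would stop (0..1);
                                  # phishing and keyloggers keep this well below 1
    hourly_value_of_time: float   # dollars per hour of user effort


def expected_loss_per_user(e: AdviceEconomics) -> float:
    """Direct-cost side: the annual loss a single user can expect the advice to
    avert.  Victimization is rare, so the total spread over everyone is small."""
    return e.annual_losses * e.fraction_prevented / e.users


def break_even_minutes_per_user(e: AdviceEconomics) -> float:
    """Indirect-cost side: minutes per year each user may spend on the advice
    before the aggregate effort outweighs the aggregate loss it prevents."""
    return expected_loss_per_user(e) / e.hourly_value_of_time * 60.0


def advice_is_rational(e: AdviceEconomics, minutes_per_user_per_year: float) -> bool:
    """True only if following the advice costs each user no more time than it is worth."""
    return minutes_per_user_per_year <= break_even_minutes_per_user(e)


def annual_reset_cost(users: int, reset_rate: float, cost_per_reset: float) -> float:
    """Cost to the institution of password resets caused by hard-to-remember passwords."""
    return users * reset_rate * cost_per_reset


if __name__ == "__main__":
    # Password advice: constructed population of 100M online-banking users,
    # $60M/year phishing losses (from the post), constructed assumption that
    # stronger passwords would stop half of it, user time valued at a
    # constructed $10/hour.
    passwords = AdviceEconomics(users=100_000_000, annual_losses=60_000_000,
                                fraction_prevented=0.5, hourly_value_of_time=10.0)
    print(f"break-even effort: {break_even_minutes_per_user(passwords):.1f} min/user/year")
    print("rational at 1 minute/year:", advice_is_rational(passwords, 1))
    print("rational at 5 minutes/day:", advice_is_rational(passwords, 5 * 365))

    # Reset costs: 48M users is what the post's $48M figure implies at 10% and $10.
    resets = annual_reset_cost(48_000_000, 0.10, 10.0)
    print(f"annual reset cost ${resets:,.0f} vs. total phishing losses $60,000,000")
```

Running the script shows the shape of the argument rather than any particular answer: with these inputs the break-even effort is under two minutes per user per year, so a few minutes per day fails the test by orders of magnitude, and the reset bill alone comes close to the whole industry’s phishing losses. Changing `fraction_prevented` toward zero (the phishing or keylogger case) drives the break-even time toward zero as well.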

In addition to the security-related costs users are asked to absorb, they are also overwhelmed by the volume of advice dispensed by various security gurus (including yours truly, in retrospect). Naive users lack the technical expertise to carry these suggestions out, and their best efforts can often be readily subverted by evil-doers anyway. Herley points out that the US-CERT CyberSecurity Tips publication has 51 “tips,” each one backed up with a page or more of detailed instructions. No wonder they bail on security. Not only is it expensive, it’s incomprehensible.

Does this dismal state of affairs free us to give up and just ignore Internet security? Not at all! We still face threats that we CAN do something about, and we should. See my next post on What This Means.